U.S. Department of Justice 



Federal Bureau of Investigation 

Washington, D.C. 20535

April 14, 2015 


MS. ALEXA O'BRIEN



FOIPA Request No.: 1324716-000 
Subject: LULZSEC


Dear Ms. O'Brien: 

Records responsive to your request were previously processed under the provisions of the
Freedom of Information Act. Enclosed is one CD containing 63 pages of previously-processed documents
and a copy of the Explanation of Exemptions. Documents or information originating with other Government
agencies originally referred to that agency were not included in this release. This release is being provided
to you at no charge.

Additional records potentially responsive to your subject may exist. Please submit a new FOIA
request if you would like the FBI to conduct a search of the indices to our Central Records System.

Submit requests by mail or fax to - Initial Processing, 170 Marcel Drive, Winchester, VA 22602, fax
number (540) 868-4997.

For your information, Congress excluded three discrete categories of law enforcement and national 
security records from the requirements of the FOIA. See 5 U.S.C. § 552(c) (2006 & Supp. IV (2010)). This
response is limited to those records that are subject to the requirements of the FOIA. This is a standard 
notification that is given to all our requesters and should not be taken as an indication that excluded records 
do, or do not, exist. 

You may file an appeal by writing to the Director, Office of Information Policy (OIP), U.S.
Department of Justice, 1425 New York Ave., NW, Suite 11050, Washington, D.C. 20530-0001, or you may
submit an appeal through OIP's eFOIA portal at http://www.justice.gov/oip/efoia-portal.html. Your appeal
must be received by OIP within sixty (60) days from the date of this letter in order to be considered timely.
The envelope and the letter should be clearly marked "Freedom of Information Appeal." Please cite the
FOIPA Request Number assigned to your request so that it may be identified easily.


Sincerely yours, 

David M. Hardy
Section Chief,
Record/Information
Dissemination Section
Records Management Division


Enclosure(s)




EXPLANATION OF EXEMPTIONS 


SUBSECTIONS OF TITLE 5, UNITED STATES CODE, SECTION 552 

(b)(1) (A) specifically authorized under criteria established by an Executive order to be kept secret in the interest of national defense or foreign
policy and (B) are in fact properly classified to such Executive order;

(b)(2) related solely to the internal personnel rules and practices of an agency;

(b)(3) specifically exempted from disclosure by statute (other than section 552b of this title), provided that such statute (A) requires that the
matters be withheld from the public in such a manner as to leave no discretion on issue, or (B) establishes particular criteria for withholding
or refers to particular types of matters to be withheld;

(b)(4) trade secrets and commercial or financial information obtained from a person and privileged or confidential;

(b)(5) inter-agency or intra-agency memorandums or letters which would not be available by law to a party other than an agency in litigation with
the agency;

(b)(6) personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy;

(b)(7) records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records
or information (A) could reasonably be expected to interfere with enforcement proceedings, (B) would deprive a person of a right to a
fair trial or an impartial adjudication, (C) could reasonably be expected to constitute an unwarranted invasion of personal privacy, (D)
could reasonably be expected to disclose the identity of confidential source, including a State, local, or foreign agency or authority or any
private institution which furnished information on a confidential basis, and, in the case of record or information compiled by a criminal law
enforcement authority in the course of a criminal investigation, or by an agency conducting a lawful national security intelligence
investigation, information furnished by a confidential source, (E) would disclose techniques and procedures for law enforcement
investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions if such disclosure could
reasonably be expected to risk circumvention of the law, or (F) could reasonably be expected to endanger the life or physical safety of any
individual;

(b)(8) contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for
the regulation or supervision of financial institutions; or

(b)(9) geological and geophysical information and data, including maps, concerning wells.

SUBSECTIONS OF TITLE 5, UNITED STATES CODE, SECTION 552a 

(d)(5) information compiled in reasonable anticipation of a civil action proceeding;

(j)(2) material reporting investigative efforts pertaining to the enforcement of criminal law including efforts to prevent, control, or reduce crime
or apprehend criminals;

(k)(1) information which is currently and properly classified pursuant to an Executive order in the interest of the national defense or foreign
policy, for example, information involving intelligence sources or methods;

(k)(2) investigatory material compiled for law enforcement purposes, other than criminal, which did not result in loss of a right, benefit or
privilege under Federal programs, or which would identify a source who furnished information pursuant to a promise that his/her identity
would be held in confidence;

(k)(3) material maintained in connection with providing protective services to the President of the United States or any other individual pursuant
to the authority of Title 18, United States Code, Section 3056;

(k)(4) required by statute to be maintained and used solely as statistical records;

(k)(5) investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian
employment or for access to classified information, the disclosure of which would reveal the identity of the person who furnished
information pursuant to a promise that his/her identity would be held in confidence;

(k)(6) testing or examination material used to determine individual qualifications for appointment or promotion in Federal Government service
the release of which would compromise the testing or examination process;

(k)(7) material used to determine potential for promotion in the armed services, the disclosure of which would reveal the identity of the person
who furnished the material pursuant to a promise that his/her identity would be held in confidence.

FBI/DOJ

UNCLASSIFIED


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 


Date: 10/03/2011 


To: Albany 


From: Albany

Contact:
Approved By:
Drafted By:


b6

b7C


Case ID #: 288A-AL 


Title: ANONYMOUS - HACKTIVISTS;
LULZSEC - HACKTIVISTS;
BACKTRACE SECURITY - HACKTIVISTS;
ET AL - HACKTIVISTS;
COMPUTER INTRUSIONS


Synopsis:


NTP-014

CRINT-C


b7E

Full Investigation Initiated: 10/03/2011

Details:

The Albany division is opening [redacted]
to investigate the activities of the captioned
hacker groups. Albany has recently opened a CHS who is in a
position to provide significant intelligence on the captioned
groups.

b7E

By way of background, Anonymous is a hacktivist group
that originated in 2003 on the 4chan imageboard. In its early 
days, Anonymous members were a largely decentralized online group 
acting in a loosely coordinated manner. Starting in 2008, the 
group became associated with international hacktivism and has 
claimed responsibility for several computer intrusions and 
Distributed Denial of Service (DDoS) attacks. Some of the more 
well known victims of attacks attributed to Anonymous include 
Sony, Church of Scientology, and HBGary Federal. 

By way of background, Lulz Security (LulzSec) is a
hacktivist group that has claimed responsibility for several

UNCLASSIFIED 







UNCLASSIFIED 


To: Albany From: Albany 

Re: 288A-AL-NEW, 10/03/2011 


computer intrusions and incidents of "doxing". "Doxing" is the 
practice of releasing personal and confidential information about 
persons and organizations including contact information, 
biographical information, usernames, passwords, and other 
sensitive data. Some of LulzSec's targets have included Sony and 
various government and law enforcement organizations. 

In June 2011, Albany executed arrest and search
warrants on an identified LulzSec member [redacted]. This
individual was residing in Albany's AOR and was actively
participating in high profile intrusion activity attributed to
LulzSec.

b7A


By way of background, BackTrace Security is a hacker 
group that spun off of Anonymous because they disagree with the 
current direction that Anonymous has taken. Backtrace Security 
does not believe in the political hacktivism activities that 
Anonymous has claimed responsibility for lately. One of the 
goals of Backtrace Security is to put an end to the current 
incarnation of Anonymous. Backtrace Security has also attempted 
to identify members of LulzSec and shut down their operations. 

[redacted] has agreed to work with the
writer [redacted]

b7D

[redacted] is the second Albany CHS to be opened in the
past year that has verified ties to identified hacker groups
responsible for criminal computer intrusion activity. [redacted]
[redacted] as deemed appropriate by the case
agent.

It is requested that a case be opened and assigned to
SA [redacted]


b6

b7C


♦♦

FD-1023

(07/24/2010) 


FEDERAL BUREAU OF INVESTIGATION 

CHS REPORTING DOCUMENT 


HEADER 

Source ID:


Date: 10/07/2011 

Case Agent Name: 

Field Office/Division: Albany 
Squad:


b6

b7C

b7D


Date of Contact: 10/05/2011 

List all present including yourself. (Do not include the CHS.): SA [redacted]

Type of Contact: e-Mail 


Date of Report: 10/05/2011 


Substantive Case File Number: 288A-AL-49289 



Substantive Case File Number: 803I-AL-48481 


Source Reporting: The following information was provided via email by CHS between 09/20/2011 and
10/05/2011. The information was volunteered by CHS. It was not the result of a
tasking. The information was not specifically requested by the handling agent. The
information was provided on a confidential basis prior to the admonishment of CHS:

Signed by:

Signed by [redacted] on Friday, October 07, 2011 5:20 PM (Eastern Daylight Time)

Signed by [redacted] on Tuesday, October 11, 2011 3:36 PM (Eastern Daylight Time)


b6

b7C

FD-1023

(07/24/2010) 


FEDERAL BUREAU OF INVESTIGATION 

CHS REPORTING DOCUMENT 


HEADER 

Source ID:


Date: 10/07/2011

Case Agent Name:

Field Office/Division: Albany

Squad:


Date of Contact: 09/22/2011 

List all present including yourself. (Do not include the CHS.):

Type of Contact: in Person 



b6

b7C

b7D


Country: UNITED STATES

City:
State:

Date of Report: 09/22/2011


Substantive Case File Number: 288A-AL-49289


Source Reporting: 


On 09/22/2011, after being advised of the identity of the interviewing agents and the 
nature of the interview, CHS provided the following: 


b7D

Date: 10/07/2011


Case Agent Name:

Field Office/Division: Albany
Squad:


Date of Contact: 09/29/2011 

List all present including yourself. (Do not include the CHS.): SA [redacted]

Type of Contact: in Person 


b6 

b7C 

b7D 


Country: UNITED STATES

City:

State:

Date of Report: 09/29/2011


Substantive Case File Number: 288A-AL-49289


b6

b7C


Source Reporting: 


On 09/29/2011, SA [redacted] met with CHS at his home. After being advised of the identity of
the interviewing agent and the nature of the interview, CHS provided the following:


b6

b7C

b7D

Signed by [redacted] on Friday, October 07, 2011 3:58 PM (Eastern Daylight Time)

Signed by [redacted] on Tuesday, October 11, 2011 3:48 PM (Eastern Daylight Time)


b6

b7C

UNCLASSIFIED

FD-1023 (07/24/2010)

FEDERAL BUREAU OF INVESTIGATION

CHS REPORTING DOCUMENT


HEADER 


Source ID:

Date: 10/07/2011

Case Agent Name:

Field Office/Division: Albany
Squad:


Date of Contact: 10/06/2011 

List all present including yourself. (Do not include the CHS.): SA [redacted]

Type of Contact: in Person 


b6

b7C

b7D


Country: UNITED STATES

City:

State:

Date of Report: 10/06/2011 


Substantive Case File Number: 288A-AL-49289 




Source Reporting: On 10/06/2011, after being advised of the identity of the interviewing agent and the
nature of the interview, CHS provided the following:


Signed by:


b6

b7C

b7D


Signed by [redacted] on Friday, October 07, 2011 3:59 PM (Eastern Daylight Time)

Signed by [redacted] on Tuesday, [illegible]:49 PM (Eastern Daylight Time)


b6

b7C


FD-1023

(07/24/2010) 


FEDERAL BUREAU OF INVESTIGATION 

CHS REPORTING DOCUMENT 


HEADER 

Source ID: 

Date: 11/07/2011

Case Agent Name:

Field Office/Division: Albany

Squad:


Date of Contact: 11/04/2011

List all present including yourself. (Do not include the CHS.): SA [redacted]

Type of Contact: in Person 


b6

b7C

b7D


Country: UNITED STATES

City:

State:

Date of Report: 11/04/2011 


Substantive Case File Number: 288A-AL-49289 



Source Reporting: On 11/04/2011, CHS provided the following: 


Signed by:


b6

b7C

b7D


Signed by [redacted] on Monday, November 07, 2011 11:20 AM (Eastern Daylight Time)

Signed by [redacted] on Monday, November 07, 11:30 AM (Eastern Daylight Time)


b6

b7C

FD-1023 (07/24/2010)

FEDERAL BUREAU OF INVESTIGATION

CHS REPORTING DOCUMENT


HEADER 


Source ID:

Date: 02/08/2012

Case Agent Name:

Field Office/Division: Albany
Squad:


Date of Contact: 02/07/2012 

List all present including yourself. (Do not include the CHS.): SA [redacted]

Type of Contact: in Person 


Country: UNITED STATES 

City:

State:

Date of Report: 02/07/2012 


Substantive Case File Number: 288A-AL-49289 



Source Reporting: On 02/07/2012, CHS provided the following: 


Signed by:

Signed by [redacted] on Wednesday, February 08, 2012 10:10 AM (Eastern Daylight Time)

Signed by [redacted] on Thursday, February 09, 2012 4:08 PM (Eastern Daylight Time)

FD-1023 (07/24/2010)

FEDERAL BUREAU OF INVESTIGATION

CHS REPORTING DOCUMENT


Source ID:

Date: 11/28/2011

Case Agent Name:

Field Office/Division: Albany
Squad:


Date of Contact: 11/24/2011 

List all present including yourself. (Do not include the CHS.): SA [redacted]

Type of Contact: e-Mail 



HEADER 


Date of Report: 11/24/2011 
Substantive Case File Number: [illegible]


Source Reporting: On 11/24/2011, CHS emailed SA [redacted]

Signed by:

Signed by [redacted] on Monday, November 28, 2011 2:05 PM (Eastern Daylight Time)

Signed by [redacted] on Tuesday, November 29, 2011 9:12 AM (Eastern Daylight Time)

UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE

Date: 04/23/2012

To: Cyber
Detroit

Attn: SA
Attn: SA

b6

b7C

From: Detroit
Grand Rapids RA/St. Joseph RA
Contact: SA

Approved By:
Drafted By:

Case ID #: 288A-DE-106943 (Pending)

b6

b7C

(108ebm01.ec)


Title: UNSUB(S), AKA
Anonymous IRC,
Evil Security,
AntiSec Cutthroat Committee,
DeathToSnitches,
Anonymous,
Cutthroat,
LulzSec,
The LulzKnights;
BERRIEN COUNTY, MICHIGAN, GOVERNMENT -
COMPUTER INTRUSION - CRIMINAL MATTER


Synopsis: EC to open [redacted] for captioned case.

b7E

Enclosure(s): Copy of Berrien County Sheriff's Department
report regarding incident number 2012-00004061 with several
attachments.


Details: On 04/16/2012, SA [redacted] was contacted
regarding captioned matter. Berrien County, Michigan, Sheriff's
Department (BCSD) Detective [redacted] provided the details
of the incident as well as the printed copy of the defacement of
the Berrien County external website. Detective [redacted]
explained that hackers had illegally entered the BCSD website and
removed files without authorization while defacing the website.
A copy of this defacement is attached to this EC. The defacement
included the names Antisec, Cutthroat Committee, #Antisec,
#DeathToSnitches, #Anonymous, #Cutthroat, #LulzSec,

b6

b7C

UNCLASSIFIED


b7C





UNCLASSIFIED 


To: Cyber From: Detroit 

Re: 288A-DE-106943, 04/23/2012 


LulzKnights. The defacement also provided links to:
https://twitter.com/AnonymousIRC and
https://twitter.com/Evilsecurity. Additionally, a BCSD file
listing usernames and passwords for users of the
berriencounty.org website was compromised and taken. Numerous
braggadocios statements were included with anti-government and
anti-law enforcement comments.


Also on 04/16/2012, SA [redacted] met with Berrien County
[redacted] and BCSD Detective [redacted],
[redacted] Michigan 49085, telephone number [redacted].
[redacted] advised that the BCSD
external website was hosted by an outside internet contractor,
E Internet Designs, in Kalamazoo, Michigan. Contact by [redacted]
with this company determined that logs could possibly be obtained
showing Internet Protocol (IP) addresses that accessed the
victimized website around the time of the intrusion.

Additionally, [redacted] advised that an unknown employee account
had been set up in the name [redacted] around the time of the
intrusion. [redacted] believed this to be a fictitious user account
set up with administrative privileges so the hacker could
re-enter the website. [redacted] provided a copy of the user
accounts for the Berrien County website and put an asterisk next
to the name of the fictitious account which was created on
04/15/2012, at 12:16 a.m.


Captioned FBI investigation should be opened to
investigate this matter and determine the perpetrator(s) of this
intrusion and defacement of the Berrien County internet website.
The estimated economic loss will be calculated by [redacted] in
relation to this incident.


UNCLASSIFIED 



UNCLASSIFIED 


To: Cyber From: Detroit 

Re: 288A-DE-106943, 04/23/2012



LEAD(s):

Set Lead 1: (Action) 

CYBER 

AT WASHINGTON DC 


For information and whatever action deemed appropriate. 


♦♦ 


UNCLASSIFIED

Berrien County Sheriff Case Report

Summary

Print Date/Time: 04/23/2012 12:25
Login ID:
Case Number: 2012-00004061

BERRIEN COUNTY SHERIFF DEPARTMENT
ORI Number: MI1111100

Case

Case Number: 2012-00004061
Location: 919 PORT
ST JOSEPH, MI 49085
Reporting Officer ID: 158

Incident Type: Damage to County Property
Occurred From: 04/14/2012 00:00
Occurred Thru: 04/15/2012 00:00
Disposition:
Disposition Date:
Reported Date: 04/17/2012 08:43 Tuesday


Offenses

No.  Group/ORI  Crime Code  Statute  Description                     Counts
1    State      29000       2997     Computer Uses in Commission of  1
2    MI1111100  9939        9939     Computer Forensics Team         1


Subjects 



Other 

Other 

Victim 


Witness 


2 E Internet Designs 



Berrien County Sheriffs 
Department 





UNKNOWN 

KALAMAZOO, MI

919 PORT (269)983-7141

ST JOSEPH, MI 49085


White 


White 


Male 


Male 


Arrests

Arrest No.  Name  Address  Date/Time  Type  Age

Property

Date        Code    Type                           Make  Model  Description                    Tag No.  Item No.
04/17/2012  Seized  07-Computer Hardware/Software                Lexar USB Drive, model N12610

Vehicles

No.  Role  Vehicle Type  Year  Make  Model  Color  License Plate  State


ORIGINAL ASSIGNMENT:


On 04/15/12, R/O was contacted by [redacted] of the BCSD indicating that unknown individuals had entered
onto the Berrien County Sheriffs Dept. website and removed all items that were placed onto the website and replaced
those with their own items and also listing numerous e-mails and passwords for county employees.


CONTACT WITH [redacted] OF THE BCSD:


b6

b7C


b6

b7C


b6

b7C


Page: 1 of 5


b6

b7C


On 04/15/12 at approximately 2100 hours, R/O contacted [redacted] via telephone, who indicated to R/O
that on this date, he attempted to enter onto the BCSD website, which is identified as www.bcsheriff.org, at which time he
observed that the website had been altered and none of the BCSD files could be accessed. It should be noted [redacted]
is an administrator for this website and assisted in building this website.


[redacted] at this time advised R/O that he began to view items that were listed on the website which neither he
nor any employees had posted on there and observed there were several items referring to a group identified as Antisec,
along with the group Anonymous.


Additionally, [redacted] advised he observed an e-mail list that had been posted on the site which had not been
placed there by him or any other person legitimately accessing the site. In reviewing this e-mail list, he found that some
of the e-mails contained names, passwords and e-mail addresses for numerous county employees, including judges and
prosecutors.

b6

b7C


[redacted] advised he did print out what he was able to from the site, which included approximately 40 pages of
documents, along with the e-mail list. [redacted] indicated to R/O that he immediately contacted a supervisor to bring
it to their attention that it appeared that the BCSD site had been accessed illegally and altered and that since that time he
has attempted to re-access the site, however, it appears that it had been taken down by either the web page provider,
which was identified as E Internet Designs or the Berrien County Computer Services.


[redacted] indicated he would forward a copy of the documents that he was able to print off prior to the site being
taken off the internet.


REVIEW OF DOCUMENTS FROM [redacted]:


On 04/16/12, R/O received a faxed copy of the items printed out by [redacted]. In reviewing those items, the first
couple items are texts that appear to be items placed onto the site from the individuals that illegally accessed the BCSD
website.


b6

b7C


At the top, it indicates Antisec Cutthroat Committees. 

Below that it indicates Antisec Death to Snitches Anonymous Cutthroat and Lulz Sec 

From there, R/O observes there are several sayings in reference to the Antisec fallen friends that possibly had been 
arrested in reference to what R/O believes is the same type of behavior. Further down on the second page it indicates 
Welcome to this new addition to the #SSS and (Shoot the Sheriff Sunday) signed by the Lulz Knights. 

Below that it indicates bcsheriff.org mail in loot. After that it indicates several websites that individuals can follow the 
group responsible for this act on the internet. There are two Antisec crew Twitter sites which are identified as 
https://twitter.com/anonymousirc. The second is https://twitter.com/evilsecurity and a chat which is identified as 
irc.anonops.li#antisec. 


On the next page, R/O observes that the individuals posted the user name for this site as Berrien C, with a password
[redacted]. It should be noted, this is, in fact, believed to be the password for accessing the Sheriffs Dept. site, along
with the password for E Internet Designs which is the designer of this webpage.


b7E


The next group of files are numerous pages of e-mail user names/user ID's, passwords, and e-mail addresses. There 
are numerous pages of these which R/O has reviewed and observes that these are Sheriffs Dept./county employees, 
along with a lawyer group that conducts business through the Berrien County Courts. 


On what R/O will refer to as page #16 (which is stamped at the top of the page via a fax machine), R/O observes that
at the bottom of this page the last line indicates root+.pts/O April 14th at 2333 hours 0048 32337 (Antisec). This is
believed the approximate time where the illegal access to this site was taking place. The actual start date and time is not

In further reviewing the items supplied to R/O by [redacted], R/O observed on page #25 and #26, several IP
addresses that are shown and previous to these IP addresses, it indicates grant all privileges on root@65.183.182.120
along with IP address 99.155.145.32. R/O did check the IP addresses through the on-line search engine Geek Tools and
found that the first IP address, being 65.183.182.120, is registered to the Internet service Raser-Tone out of Grand
Rapids, MI. The second being 99.155.145.32, is registered to AT&T Internet Services. A copy of those look-ups will be
attached to this report.


An additional IP address located by R/O is identified on page #37 of the information supplied by [redacted]. That
again is prefaced by grant all on to root@70.162.93.90 identified by E Internet Design, which appears to be the password
for that company. It is spelled as follows [redacted]. R/O performed a "who is searched" on the on-line web
service Geek Tools and found that the IP address 70.162.93.90 is registered to Cox Communications out of Atlanta, GA.
A copy of that look-up will also be attached to this report.


b6

b7C

b7E


A copy of the entire information that [redacted] supplied to R/O will be attached to this report.


TWITTER AND FACEBOOK SEARCHES: 

R/O searched the Twitter account listed on the information that was placed onto the county website and in checking 
Antisec on Twitter, R/O found that Antisec appears to be associated with Anonymous, along with the Anonirc. R/O does 
observe some texts that appear to be similar from the Twitter account to the information that was uploaded to the Sheriffs 
Dept. website which is the saying "we are legion expect us". This is found on page #44 of the items supplied by [redacted].
A copy of the Twitter page will be attached to this report also.


b6

b7C


FACEBOOK INFORMATION: 

R/O was supplied a copy of a Facebook posting under the URL https//www.facebook.com/antisecops. In reviewing 
the posting on that Facebook account, which appears to have the date of Monday at 4:26 a.m., Antisec shared a link 
Sunday and for other news for teh shit and giggles a handy defacement: 

http://www.bcsheriff.org/bahahahaantis3curityops. Below that it indicates Berrien County Sheriff's Department 
www.bcsheriff.org zip tips. There are several comments from people below, which the entire document will be attached 
to this report for review. 

Again, at the back of the Facebook page under the mission statement of antis3curityops the text "we are legion
expect us" is also seen on this site as in the information supplied to R/O by [redacted]. For further details, see the
attached Facebook document.


b6

b7C


INTERVIEW WITH [redacted]:


On 04/16/12 R/O, along with S/A [redacted] of the FBI, interviewed [redacted] in her office at the
Berrien County Courthouse. [redacted] works in the Computer Services Dept. for the county of Berrien.


R/O supplied a copy of the information supplied to R/O by [redacted] and requested she
review the e-mail addresses, along with the passwords that were posted on the Sheriffs Dept. website. [redacted]
advised the R/O that this list appeared to be an older list of persons that had access to the Berrien County e-mail service,
which several years ago used to be operated from the Sheriffs Dept. website. [redacted] advised R/O that this list
is no longer valid and that the e-mail service does not operate out of the Sheriffs Dept. website any longer.


b6

b7C


OFFICER NOTE:


R/O did check several of the e-mail and passwords with several employees to determine if these passwords were
current and R/O was advised these were older passwords, approximately 4 to 5 years ago, and were no longer valid,

[redacted] indicated to R/O that the webpage for the Berrien County Sheriffs Office, along with the County of
Berrien, are sister pages that are maintained by the web service E Internet Designs and are maintained by that company.
At this time R/O was supplied two contact names and numbers being [redacted] of E Internet Designs at [redacted].

[redacted] advised R/O that once it was discovered that the Sheriffs Dept. webpage had been accessed and
changed illegally, she contacted the internet and the webpage was taken out of service. [redacted] advised R/O's
that she then searched who had accessed the Berrien County site recently and observed a name and date that was
somewhat suspicious to her. This was identified as [redacted] who last accessed the website on 04/15/12 at
0016 hours. [redacted] advised R/O that she has checked with E-Internet Designs and has determined that [redacted]
is not an employee of E Internet Designs and is not an employee or valid user from the County of Berrien. [redacted]
advised she has not deleted this account, however, has changed the password for that user so that he is
unable to access that account.


It should be noted, that 04/15/12 at 0016 hours is on or about the time that it appears the illegal access to the website 
took place. 


CONTACT WITH [redacted]:


While in [redacted] office, she made contact with [redacted] via telephone and a conference call took
place via speaker phone with him.

[redacted] indicated that his company, E Internet Designs was able to capture the log files for the date and
time in question and indicated he would supply a copy of all those log files to this department for follow-up investigation.

It should be noted, during the conversation with [redacted] the actual County of Berrien
had also been accessed by the suspects, however, the only defacement that took place on the County of Berrien site was
several links were placed onto the webpage which have been since removed by [redacted]. These web links were
similar to those posted on the Sheriffs Dept. site by the suspects.

FILES RECEIVED FROM E INTERNET DESIGNS:


On 04/19/12, R/O received a USB flash drive from E Internet Designs and downloaded that file to R/O's computer. In 
reviewing those files, R/O reviewed the accessed log file for the approximate date and time that this incident took place, 
however, was not able to locate any visible suspects from the access log file. 

R/O has re-contacted [redacted] at E Internet Designs for assistance in going through the remainder of the files which are approximately 10GB in size with one of the E Internet Designs techs to see if any useful information can be obtained from the additional files.

b6

b7C


INFORMATION FROM S/A [redacted] OF THE FBI:


R/O has been in contact with S/A [redacted] who took part in the interview with [redacted]. S/A [redacted] indicated that his agency has an open case on the groups Anonymous and Antisec and that his agency would be willing to assist in the investigation of this complaint.


b6 

b7C 


OFFICER’S REMARKS: 


During the initial assessment of what the suspects had done on the Berrien County Sheriffs website, it was believed 
that all files had been removed by the suspects, along with all backup files. However, upon further examination, backup 
files were located by E Internet Designs and the Berrien County Sheriffs website has been reinstated in full and it does 
not appear that any of the original files are missing. 
Summary


Print Date/Time: 04/23/2012 12:25 BERRIEN COUNTY SHERIFF DEPARTMENT

Login ID: [redacted] ORI Number: MI1111100

Case Number: 2012-00004061 

STATUS: 

This complaint remains open and under investigation. 


Reviewed By 


Date 


Dispo Code 


Date 


Assigned To 


Date 


Routing: 



Apr. 16. 2012 12:30PM Berrien County Sheriff Dept 


No. 0928 P. 3 


AntiSec Cutthroat Committee

#Antisec
#DeathToSnitches
#Anonymous
#Cutthroat
#LulzSec

[ASCII art banner, not recoverable from the scan]

** ANTISEC SLAPPING YOUR SECURITY WITH OUR COCKS **


LOVE TO LULZSEC / ANTISEC FALLEN FRIENDS

THOSE WHO TRULY BELIEVED WE COULD MAKE A DIFFERENCE

LOVE TO THOSE BUSTED ANONS, FRIENDS WHO ARE FIGHTING FOR THEIR OWN FREEDOM NOW

LOVE TO THOSE WHO FIGHTED FOR THEIR FREEDOM IN TUNISIA, EGYPT, LIBYA
SYRIA, BAHRAIN, YEMEN, IRAN, ETC AND ETC AND ETC




LOVE TO THOSE WHO FOUGHT FOR FREEDOM OF SPEECH, FOR A REAL DEMOCRACY,

FOR A GOVT FREE OF CORRUPTION,

FOR A FREE WORLD WHERE WE ARE ABLE TO SHARE OUR KNOWLEDGE FREELY

LOVE TO THOSE WHO FIGHT FOR SOMETHING THEY BELIEVE IN

WE ARE ANTISEC

WE LL FIGHT TILL THE END

WE ARE THE KNIGHTS OF THE LULZ,

WE INHABIT YOUR DREAMS AND SHADOWS.

hello dear friends! 


Welcome to this new edition of #SSS (Shoot the Sheriff Sunday) 


- The LulzKnights.


ALL YOUR BASE ARE BELONG TO


/* And so I am become a knight of the Kingdom of Dreams and Shadows (- Mark Twain)


/* bcsheriff.org Mail and Loot





Follow the Antisec Crew: https://twitter.com/AnonymousIRC
Follow the Antisec Crew: https://twitter.com/EvilSecurity
Chat: irc.anonops.li #antisec 



The Unknown 
As we know, 

There are known knowns. 

There are things we know we know. 

We also know 

There are known unknowns. 

That is to say

We know there are some things
We do not know.

But there are also unknown unknowns,
The ones we don't know
We don't know.


D.H. Rumsfeld

(American poet and drag queen) 





Plain Text? and they call what we do a crime.. nomnomnonmonm


$ho5tname_systemDB = "localhost"; 
$database_systernDB = "becrienconnty_test_org" f - 
5 u s e r n aro e_ s y s t em D B = “berrienc" ; 
$password_systemDB = "b3rrl3no''; 

$hostname_rsSupport = “localhost"; 
$database_rsSupport = "einternetdesign_com"; 
5 username_rsSupport - " eid_domain_us ex “ ; 
$passwoxd_rsSuppoxt *» 
Fw: Anonymous "Amhony v.

Sent By: [redacted]@ic.fbi.gov> On: Apr 04/24/12 10:28 AM

To: [redacted]@comcast.net>

Possible hacker lead. 


Original Message 

From: I I 

To: 

Cc: 

Sent: Thu Apr 19 21:50:42 2012 
Subject: Re: Anonymous 

SA [redacted], here is what I have from a sub-source:

One of our analysts observed what looks like a dump of data from the Berrien, MI Sheriff's office on Pastebin.

http://pastebin.com/raw.php?i=bydTpuQ9

The dump itself hosted at depositfiles.com (http://depositfiles.com/files/ls2zz3uvs) and consists of a ~44m tarball. Purportedly contains public records as well as LE-sensitive info.


b 6 
Original Message

From:

To:

Cc:

Sent: Thu Apr 19 21:47:48 2012
Subject: Re: Anonymous

4/24/2012 10:50 AM 



http://pastebin.com/raw.php?i=bydTpuQ9

LOVE TO LULZSEC / ANTISEC FALLEN FRIENDS

THOSE WHO TRULY BELIEVED WE COULD MAKE A DIFFERENCE

LOVE TO THOSE BUSTED ANONS, FRIENDS WHO ARE FIGHTING FOR THEIR OWN FREEDOM NOW
LOVE TO THOSE WHO FIGHTED FOR THEIR FREEDOM IN TUNISIA, EGYPT, LIBYA
SYRIA, BAHRAIN, YEMEN, IRAN, ETC AND ETC AND ETC 

LOVE TO THOSE WHO FOUGHT FOR FREEDOM OF SPEECH, FOR A REAL DEMOCRACY, 

FOR A GOVT FREE OF CORRUPTION, 

FOR A FREE WORLD WHERE WE ARE ABLE TO SHARE OUR KNOWLEDGE FREELY 

LOVE TO THOSE WHO FIGHT FOR SOMETHING THEY BELIEVE IN 

WE ARE ANTISEC 

WE LL FIGHT TILL THE END 

WE ARE THE KNIGHTS OF THE LULZ, 

WE INHABIT YOUR DREAMS AND SHADOWS. 


hello dear friends!

Welcome to this new edition of #SSS (Shoot the Sheriff Sunday)
- The LulzKnights.


ALL YOUR BASE ARE BELONG TO


/* And so I am become a knight of the Kingdom of Dreams and Shadows (- Mark Twain)

/* bcsheriff.org <a href="http://itdr.cr/OMOU6QPN">Mail and Loot</a>

Follow the Antisec Crew: <a href="https://twitter.com/AnonymousIRC">https://twitter.com/AnonymousIRC</a>
Follow the Antisec Crew: <a href="https://twitter.com/EvilSecurity">https://twitter.com/EvilSecurity</a>
Chat: irc.anonops.li #antisec


<br> 

The Unknown 
As we know. 

There are known knowns. 

There are things we know we know. 

We also know 

There are known unknowns. 

That is to say 

We know there are some things 
We do not know. 

But there are also unknown unknowns. 

The ones we don’t know 
We don’t know. 

D.H. Rumsfeld 

(American poet and drag queen) 

<br> 



pwn'd thankyou 

EAT COCK 

<br><strong>

We are Legion 
We do not forgive 
We do not forget 
Expect Us 


</font> 

</pre> 

</body></html> 
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 


DATE: 03-07-2013 
CLASSIFIED BY NSIC0/J9674TS2 
REASON: 1.4 (b, c, d) 
DECLASSIFY ON: 03-07-2038 


CONFIDENTIMj^^EB^^iQ^REL^TO^USA^ROU 

FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE    Date: 05/10/2012

To: Cyber                       Attn: SSA [redacted]
    Jacksonville                Attn: SA [redacted]
    International Operations    Attn: SA [redacted]
                                      Eurasia Unit

From: Bucharest
      Contact: ALAT [redacted]

Approved By: [redacted]

Drafted By: [redacted]:ap

Case ID #: [redacted] (Pending)
           [redacted] (Pending)
           [redacted] (Pending)

Title: [redacted]


LEAD(s):

Set Lead 1: (Info)

CYBER

AT CCU-1, DC
Read and clear.

Set Lead 2: (Info)

JACKSONVILLE

AT JACKSONVILLE, FL
Read and clear.

Set Lead 3: (Info)

INTERNATIONAL OPERATIONS

AT EURASIA UNIT, DC
Read and clear.

♦♦ 



4 



ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 


DATE: 03-07-2013
CLASSIFIED BY NSICG/J9674T52
REASON: 1.4 (c, d)
DECLASSIFY ON: 03-07-2038


(C) 


(C) 


From: [redacted] (BO)(FBI)

Sent: Thursday, May 10, 2012 3:35 AM

To: [redacted]

Subject: More Anonymous inf




EL TO USA, ROU 



Classification: CONF 

Classified By: F77M68K14 
Declassify On: 20370510 
Derived From: FBI NSISJ>^009'0615 


All,

Here's the latest from [redacted] they've been pretty busy. Please note the classification.


b6 

blC 


hi 

b3 


hi 

b3 


(CJ 


There are a number of new US victims, including .mil, and plans for future targeting, like centcom.mil.
(I'm sure you know people over there :-)


Assistant Legal Attache

Legat Bucharest (Romania, Moldova)

Office: [redacted]

Mobile: [redacted]

[redacted]@ic.fbi.gov


bl 

b3 


he 

blC 


be 

b7C 




-1-

FEDERAL BUREAU OF INVESTIGATION


Date of transcription 08/22/2011


On 08/17/2011, investigating agent electronically emailed an electronic copy of a Federal Grand Jury Subpoena for [redacted]

b3
b6
b7C

Later the same day, [redacted] electronically replied that [redacted] had received the aforementioned subpoena.

b6
b7C


Investigation on 08/17/2011 at Santa Ana, California

File # 288A-LA-258335    Date dictated

by SA [redacted]

b6
b7C


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.


2Z%fl-LA-Z53335-d. 





\ 
FD-340 (Rev. 4-11-03)
File Number 


Field Office Acquiring Evidence 


Serial # of Originating Document _____ 

7/ J&/ 2-0 // 



Date Rece ived 
From 


(Name of Contributor/Interviewee) 


(Address) 


(City and State) 



To Be Returned □ Yes 

Receipt Given D Yes 
Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 
Federal Rules of Criminal Procedure 

□ Yes 

Federal Taxpayer Information (FTI) 

□ Yes 

Title: 



Reference: 


(Communication Enclosing Material) 


Description. 




Original notes re interview of 


/)/-n &7/zf*/*ou 




( 





(Rev. 05-01-2008) 


• • 

UNCLASSIFIED 

FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE    Date: 07/26/2011

To: Los Angeles

From: Los Angeles
      Squad [redacted]
      Contact: SA [redacted]

Approved By: [redacted]

Drafted By: [redacted]:jhf

Case ID #: 288A-LA-258335 (Pending)

Title: LULZSEC - SUBJECT(S);
       ONEWEST BANK - VICTIM
       COMPUTER INTRUSION
       OO: LA

Synopsis: Request that the captioned matter be opened and assigned to the investigating agent.

Details: On 07/26/2011, writer received information indicating that OneWest Bank was being targeted by LulzSec for a DDoS attack. Additional information indicated that the computer security contact at OneWest Bank was [redacted] at [redacted].

On 07/26/2011, writer telephonically contacted [redacted]. [redacted] confirmed that OneWest had received an email, signed by LulzSec. In the email, LulzSec indicated that they intended to launch a month-long DDoS attack against OneWest. Additional information regarding [redacted] interview can be found in an associated FD-302.

Based on the aforementioned information, writer requests that the captioned matter be opened and assigned to the writer.


♦♦ 


UNCLASSIFIED 



b6 

b7C 


b6 

b7C 


b6 
b 7 C 


bo 

b7C 


Z.07 j p ■£ o Z / w ft/ 


288A-Ltf-2Sg33S-H 



FD-302 (Rev. 10-6-95)


FEDERAL BUREAU OF INVESTIGATION


Date of transcription 07/27/2011


On 07/26/2011, [redacted] for OneWest Bank, email address of [redacted]@owb.com, business telephone number of [redacted] and cellular telephone number of [redacted], was telephonically contacted at his business telephone number. After being advised of the identity of the investigating agent and the nature of the interview, the following information was provided:

[redacted] has been working for OneWest for about seven (7) weeks.

[redacted] stated that OneWest had received an email from a group identified as LulzSec. In the email, LulzSec indicated that they were going to launch a month-long DDoS attack against OneWest Bank and try to put OneWest Bank out of business. The email also indicated that the DDoS attack would be launched on 08/01/2011.

The LulzSec email appears to have originated from a Yahoo account of arcanobacter7@yahoo.com. [redacted] or someone at OneWest had done some research and determined that the word arcanobacter originated from a word describing some type of bacteria or virus.

[redacted] had information indicating that LulzSec would first utilize a sequel injection attack to obtain confidential information from the OneWest Bank computer systems. Next, LulzSec was likely to launch a DDoS attack against OneWest Bank's computer systems.

[redacted] stated that OneWest Bank has computer servers at two (2) primary facilities. One (1) computer facility is located in [redacted] and the second facility is located in [redacted]. [redacted] suspected that the DDoS attack would be launched at one or both of these facilities.

[redacted] and the OneWest Bank organization have contracted with an Internet security company called Qwest to have Qwest re-direct the large majority of DDoS traffic that LulzSec might direct at OneWest Bank servers.

[redacted] suggested that LulzSec might be targeting OneWest Bank because of OneWest Bank's involvement with the Robo-Signing


Investigation on 07/26/2011 at Santa Ana, California (telephonically)

File # 288A-LA-258335-3    Date dictated

by SA [redacted]


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.


X 0?- 


A- LA-252335-3 




FD-302a (Rev. 10-6-95)


288A-LA-258335


[redacted], On 07/26/2011, Page 2

b6
b7C


Loan Scandal. OneWest Bank and several other banks had been implicated in the Robo-Signing Loan Scandal. LulzSec might see themselves as a defender of public interest. Hence, LulzSec might see a DDoS attack against OneWest Bank as a means to vindicate those people affected by the Robo-Signing Loan Scandal. [redacted] was not aware of any other reasons why LulzSec would single out OneWest Bank for a DDoS attack.

b6
b7C
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 08/22/2011

On 08/22/2011, investigating agent received information confirming that a copy of a Federal Grand Jury Subpoena for [redacted] at 12:57:52 PDT had been faxed to [redacted]

b3
b6
b7C


Investigation on 08/22/2011 at Santa Ana, California

File # 288A-LA-258335    Date dictated

by SA [redacted]

b6
b7C


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.


2* 3 9 s) ^ HP 


222ft-Lft-2S833S-H 
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 07/27/2011


On 07/26/2011, [redacted] for OneWest Bank, business address of 888 East Walnut Street, Pasadena, California, 91101, email address of [redacted]@owb.com, business telephone number of [redacted] and cellular telephone number of [redacted] emailed the investigating agent the following information:

[redacted] forwarded a copy of the email received from LULZSEC. The subject of the email referred to "payback for your banking practices". The body of the email referred to LulzSec launching a month long DDoS against OneWest Bank to put OneWest out of business. The email was dated July 19, 2011.

A printout of the email is attached to this document.


Investigation on 07/27/2011 at Santa Ana, California

File # 288A-LA-258335    Date dictated

by SA [redacted]


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.

28SA- LA-252335 -5 




b 6 
b7C 


^ 1/1 



payback for your banking practices 


payback for your banking practices 

Arcanobacter Hemolyticum [arcanobacter7@yahoo.com] 

Sent: Tuesday, July 19, 2011 12:57 PM 

To: OWB-CREG-Service [OWB-CREG-Service@owb.com] 

come Aug 1, we plan to launch a month long DDOS and put you slimeballs out of business. 
HACKERS UNITE !! 


LULZSEC 



FEDERAL BUREAU OF INVESTIGATION


Date of transcription 08/05/2011


On 08/01/2011, [redacted] for OneWest Bank, business address of 888 East Walnut Street, Pasadena, California, 91101, email address of [redacted]@owb.com, business telephone number of [redacted] and cellular telephone number of [redacted] emailed the investigating agent the following information:

b6
b7C

OneWest Bank employees [redacted] were also recipients of the email.

In the body of the email, [redacted] noted that there has been an increase in reconnaissance activities directed at the OneWest Bank computers. In particular, there have been about 1000 plus reconnaissance probes from Chinese Internet Protocol (IP) addresses. [redacted] noted that actual DDoS attacks are preceded by reconnaissance attacks. [redacted] further describes steps that OneWest Bank is taking to address issues related to a suspected DDoS attack. Details of these steps are provided in the body of

b6
b7C

A printout of the email is attached to this document.


Investigation on 08/05/2011 at Santa Ana, California

File # 288A-LA-258335    Date dictated

by SA [redacted]

b6
b7C


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.


Z17 


2SSrf-£/!-25S33S-6 





LulzSec Update

[redacted]@owb.com]

Sent: Monday, August 01, 2011 1:34 PM

To:

Cc:

b6
b7C


Hello [redacted]

Just a quick update on where we currently stand:

1) We have not seen an increase in unusual activity other than the penetration testing that [redacted] doing. They started this work last Saturday.

2) We have seen an increase in reconnaissance activities, specifically about a 1000 plus probes coming from a Chinese IP address which we are watching, but as yet nothing has materialized. We will have the [redacted] It should be noted that all actual attacks are preceded by reconnaissance attacks

3) [redacted] Our target completion date for these remediation activities is COB on Wednesday August 3, 2011

4) We are in the process of removing all systems from the [redacted] that do not need to be there

5) [redacted] They should have these vulnerabilities remediated by COB on Wednesday August 3, 2011

6) We are waiting for a confirmation on the pricing [redacted] and hope to have this information by COB tomorrow, Tuesday. We will then need [redacted] approval to purchase [redacted]

7) The network Risk Assessment has been completed and we are focusing on the critical and high risk items first

8) The database scanning has been completed and the vulnerabilities have been turned over to the database teams to fix. We have asked the databases team to get back to us with a remediation plan by COB today.

b6
b7C
b7E


I will be sending out updates to everyone on a daily basis.

Please let me know if you have any questions
Best regards


One West Bank
888 East Walnut Street
Pasadena, CA 91101
Work:
Cell:
e-mail:



bo 

b7C 


https://www.324mail.com/owa/?ae=Item&t=IPM.Note&id=RgAAAAADqFeC%2bw90RrweiMTRj lUvB... 8/5/20 1 1 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE    Date: 12/21/2011

To: Los Angeles

From: Los Angeles
      Contact: SA [redacted]

Approved By: [redacted]

Drafted By: [redacted]

Case ID #: [redacted] (Pending)
           [redacted] (Pending)

Title: VICTIM NOTIFICATION FORM

Synopsis: Victim contact information

Reference: 288A-LA-258335 Serial 1


1 A A///( 



Details : 


VnsCase# 

288A-LA-258335 

CAgtName 

1 

PContact 

Business 

BusName 

BusEIN 

Onewest Bank 

BusAcct 

VicFirN 

VicMidN 

Security 

VicLastN 

Chief 

SSAN 

- 

VicDate 

VicDOD 

VicMinor 

DOB 

Race 

Sex 

Addr 

Addr2 

20110726 

City 

State 

CA 

Country 

Zip 

Email 

US 

HPhone 

Fax 



be 

hi C 


he 

hi C 


he 

hi C 


hi A 
To: Los Angeles From: Los Angeles

Re: 288A-LA-258335, 12/21/2011 


VWrkAddr : * 888 East Walnut St 
VWrkadd2 : 

VWrkCity: Pasadena 
VWrkSt : CA 
VWrkCtry : US 
VWrkZip : 91101 
WEmail : 

WPhone : 6265354451 
WFax : 

VicPager : 

NOKFirN : 

NOKMidN : 

NOKLastN : 

NOKRel : 

NOKAddr : 

NOKAddr2 : 

NOKCity : 

NOKState : 

NOKCtry : 

NOKZip : 

NOKHEmal : 

NOKWEmal : 

NOKHPho : 

NOKWPho : 

NOKHFax : 

NOKWFax : 

NOKPager : 

GrdFirN : 

GrdMidN : 

GrdLastN : 

GrdRel : 

GrdAddr : 

GrdAddr2 : 

GrdCity : 

GrdState : 

GrdCtry : 

GrdZip : 

GrdHEmal : 

GrdWEmal : 

GrdHPho : 

GrdWPho : 

GrdHFax : 

GrdWFax : 

GrdPager : 

PropRet : N 
TotLoss : 000000000 
Lang. : 

Disable : 




UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE    Date: 01/18/2012

To: Los Angeles

From: Los Angeles
      Contact: SA [redacted]

Approved By: [redacted]

Drafted By: [redacted]:jhf

Case ID #: 288A-LA-258335 (Pending)

Title: LULZSEC - SUBJECT(S);
       ONEWEST BANK - VICTIM
       COMPUTER INTRUSION
       OO: LA

b6
b7C

Synopsis: Request that captioned investigation be closed administratively.

Details: Writer requests that captioned investigation be closed administratively. Subject(s) threatened to launch a Denial-Of-Service (DDoS) attack against OneWest Bank computers. A DDoS attack was never launched against OneWest Bank's computers and consequently OneWest did not sustain a significant financial loss. Therefore, this investigation does not meet the minimal loss amount guidelines for a Federal violation.

Writer has verified that there are no 1B, 1C or 1D items assigned to the captioned investigation. Therefore, there is no need for a disposition of evidence.

Consequently, writer requests that the captioned investigation be closed administratively.


♦♦ 


UNCLASSIFIED 
UNCLASSIFIED


FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE    Date: 06/06/2011

To: Tampa

From: Tampa
      Contact: SA [redacted]

Approved By: [redacted]

Drafted By: [redacted]

Case ID #: 288A-TP-NEW (Pending)

Title: LULZSEC - SUBJECT
       COMPUTER INTRUSION - CRIMINAL

Synopsis: Open and assign case.

Details: Writer has developed CHS [redacted] internet hacker group LULZSEC. LULZSEC is believed to be a splinter group of Anonymous. Anonymous is a global hacking group which has committed computer intrusions into many U.S. businesses and government groups.

[redacted] is providing significant information on the identity of the members of LULZSEC.

Writer requests to open and assign case.


UNCLASSIFIED 




4 h- 
UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE    Date: 06/06/2011

To: Cyber    Attn: CCU
                   ASC [redacted]
                   SSA [redacted]

From: Tampa

Case ID #: 288A-TP-73999 (Pending)

Title: LULZSEC - SUBJECT
       COMPUTER INTRUSION - CRIMINAL

Synopsis: Request case funds.

Details: Writer requests funds for the support of captioned investigation.

FBI Tampa has developed a CHS who is currently [redacted]

In order to successfully operate CHS and [redacted]




UNCLASSIFIED 


To : Cyber From : Tampa 

Re: 288A-TP-73999 , 06/06/2011 


LEAD ( s ) : 

Set Lead 1: (Action) 

CYBER 

AT CCU-1 


Transfer requested funds to 


♦♦ 


UNCLASSIFIED 



Working Copy 


Precedence : ROUTINE 

To : Cyber 

Charlotte 

New York 
Tampa 

From: Charlotte 

Squad 7 /Cyber 
Contact : SA [ 


Approved By: 

Drafted By: 

Case ID # : I ~ 

288A-TP- 73 999 


Date: 06/16/2011 


Attn: 

ccs/ccu 

SSA 

SSA 

Attn: 

SSA 

ASAC 


ASAC 

Attn: 

SSA 

SA 


SA 

Attn: 

SA 




(Pending) 

(Pending) 



Title: 


LULZSEC - SUBJECT; 

COMPUTER INTRUSION - CRIMINAL 
(288A-TP-73999) 

Synopsis: This Electronic Communication (EC) will document a joint Charlotte,
UNCLASSIFIED


FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE    Date: 06/30/2011

To: Cyber        Attn: CCS/CCU
                       SSA [redacted]
    Charlotte    Attn: [redacted]
    New York     Attn: [redacted]
    Tampa        Attn: SA [redacted]

b6
b7C

From: Charlotte
      CY-1/Cyber
      Contact: SA [redacted]
               SA [redacted]

Approved By: [redacted]

Drafted By: [redacted]

Case ID #: [redacted] (Pending)
           288A-TP-73999 (Pending)

b7A

Title: [redacted]
       LULZSEC - SUBJECT;
       COMPUTER INTRUSION - CRIMINAL
       (288A-TP-73999)

Synopsis: To document the approval of Charlotte and Tampa CHSs for [redacted]

b7D
b7E

Reference: 288A-TP-73999 Serial 4


b7A 



UNCLASSIFIED 



UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

CHS REPORTING DOCUMENT

HEADER

Source ID: [redacted]

Date: 06/16/2011

Case Agent Name: [redacted]

Field Office/Division: Tampa

Squad: SQUAD EIGHT

Date of Contact: 06/16/2011

List all present including yourself. (Do not include the CHS.): Writer

Type of Contact: e-Mail

Date of Report: 06/16/2011

Substantive Case File Number: 288A-TP-73999

Source Reporting: CHS provided writer with [redacted]

Page 1 of 3

Signed by: [redacted] on Thursday, June 16, 2011 3:56 PM (Eastern Standard Time).

b6
b7C
b7D

Signed by [redacted] on Wednesday, June 22, 2011 10:11 AM (Eastern Standard Time)

b6
b7C

FD-1023 (07/24/2010)

FEDERAL BUREAU OF INVESTIGATION

Page 3 of 3




UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE    Date: 03/08/2012

To: Tampa

From: Tampa
      Squad 8/Cyber
      Contact: SA [redacted]

Approved By: [redacted]

Drafted By: [redacted]:arm

Case ID #: 288A-TP-73999 (Pending)

Title: LULZSEC - SUBJECT
       COMPUTER INTRUSION - CRIMINAL

Synopsis: Close case.

b6
b7C

Details: Case was initiated in order to support tasking and operation of CHS and to identify subjects in computer intrusions. CHS was very productive and information provided was used in many other FBI investigations.

No further need exists to operate CHS against LULZSEC. Writer requests to close captioned investigation.


\ 

♦♦ 


UNCLASSIFIED 






03/08/12 09:31:53    ICMIPR05    PAGE 1

Collected Items for a Case
Case ID: 288A-TP-73999

Collected Item Type: All
Category Type: 1B

Columns: Cat/Num, Barcode | Acquired/Office and Storage Location | Type | Charged Out To/Chrged Out Reason | Contributor/Description

NO COLLECTED ITEMS FOUND FOR SELECTED REPORT


